New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Page's title should be encoded or filtering html entities/javascript code #271
Comments
|
Hi @kuqadk3 wp-statistics/includes/functions/functions.php Line 1971 in 72f0b64
to
and tell me feedback. |
|
WoW. Nice. Quick fix. That fix the xss in Overview and Pages. Categories and Author is also affected and still affected. Sorry for not mention them in first place. |
|
I think we need to esc_html all those that do $post_obj->post_title |
|
@kuqadk3 |
|
Hi! Ryan from wpvulndb.com here. Do you know when the next version will be released which includes this patch? We'd like to add the vulnerability to our database, but would prefer to do so once it has been patched. Thanks! |
|
Hi @ethicalhack3r, The new version will be released until Friday. |
I was testing on :
Account with Editor role can create Post with Title that contain javascript/html. For example :
<script>alert(document.cookie)</script>WP statistics page that use these title will got affected for xss attack, for example : overviews, pages,...
Even if the Editor delete the Post, but it still remain in top 10 page that got most hit, the Overviews page still be affected. So in reality, attacker that controls the Editor account can create page with title that contains maclious javascript code that steal admin cookie (for example), visit it a lot that make it be in top 10 page most visited, delete the post so admin wont notice the weird post that have javascript in title. And when admin click on Overviews page of WP Statistic, his cookie will be stolen.
The text was updated successfully, but these errors were encountered: